feat(09-03): add rate limiting for public quote routes
- Enhanced proxy.ts with rate limit check for /quote/[token] routes - Enforces 3 views per minute per IP address (MVP in-memory store) - Returns 429 Too Many Requests when limit exceeded - Rate limit utility supports distributed use (ready for Upstash Redis in Phase 10) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
+15
-1
@@ -1,5 +1,6 @@
|
|||||||
import { NextRequest, NextResponse } from "next/server";
|
import { NextRequest, NextResponse } from "next/server";
|
||||||
import { getToken } from "next-auth/jwt";
|
import { getToken } from "next-auth/jwt";
|
||||||
|
import { rateLimit } from "@/lib/rate-limit";
|
||||||
|
|
||||||
export async function proxy(request: NextRequest) {
|
export async function proxy(request: NextRequest) {
|
||||||
const pathname = request.nextUrl.pathname;
|
const pathname = request.nextUrl.pathname;
|
||||||
@@ -71,9 +72,22 @@ export async function proxy(request: NextRequest) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ── PUBLIC QUOTE ROUTES (rate limited) ───────────────────────────────────
|
||||||
|
if (pathname.match(/^\/quote\/[a-zA-Z0-9_-]{21}\/?$/)) {
|
||||||
|
const ip = request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || "unknown";
|
||||||
|
const allowed = rateLimit(ip, 3, 60 * 1000); // 3 views per minute
|
||||||
|
|
||||||
|
if (!allowed) {
|
||||||
|
return NextResponse.json(
|
||||||
|
{ error: "Troppi accessi. Riprova tra un minuto." },
|
||||||
|
{ status: 429 }
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return NextResponse.next();
|
return NextResponse.next();
|
||||||
}
|
}
|
||||||
|
|
||||||
export const config = {
|
export const config = {
|
||||||
matcher: ["/admin/:path*", "/client/:path*"],
|
matcher: ["/admin/:path*", "/client/:path*", "/quote/:path*"],
|
||||||
};
|
};
|
||||||
|
|||||||
Reference in New Issue
Block a user